KR102295471B1 - METHOD AND SYSTEM FOR AUTHENTICATING TOKEN FOR IoT DEVICE BASED ON PRIVATE BLOCKCHAIN - Google Patents

Abstract

The present disclosure provides a token authentication and authorization system for a private blockchain-based IoT device. The system includes a front-end unit including a user interface for receiving at least one of a user registration request, a user authentication request, and a device authentication request inputted from a user terminal, and outputting a result of executing the request, and from the front-end unit and a backend unit that receives the request and executes at least one of user registration, user authentication, and device authentication. The backend unit provides a plurality of blockchain nodes including a smart contract capable of executing user registration, user authentication and device authentication, and an API (application programming interface) for executing the user registration, user authentication and device authentication. an API node, wherein, in response to the request, the API node provides an execution result of at least one of the user registration, user authentication, and device authentication using the API.

Description

Token authentication and authorization method and system for private blockchain-based IoT devices

The present invention relates to a token authentication and authorization method system for a private blockchain-based IoT device, and more specifically, to execute user registration and authentication based on a distributed ledger, and to an IoT device and an IoT device based on authentication and registered user information A method and system for issuing a certificate for a platform.

Blockchain technology is a technology that records and stores transaction details made over network communication in a reliable and secure way. A blockchain network is a system in a distributed environment that allows the exchange of digitized assets or transactions, and uses a shared ledger to record electronic transaction history generated in a peer-to-peer (P2P) network. record Blockchain networks use a decentralized or decentralized consensus mechanism. In particular, all validating nodes on the network approve (or disapprove) the transaction by executing the same (or agreed upon) consensus algorithm on the same transaction. Since the blockchain P2P network uses such a decentralized structure and consensus algorithm, it is virtually impossible to forge or falsify the transaction details by a third party, thereby guaranteeing the reliability and transparency of the transaction details.

The blockchain can be divided into a public blockchain that is open to general users and a private blockchain that can only be accessed by limited users. In general, public blockchains are large and have a problem that it takes a lot of time and money to create and reference blocks. In order to solve this problem, only transactions by a limited number of nodes are recorded, so a private blockchain is used that is fast and does not generate fees.

On the other hand, the Internet of Things (IoT) refers to a technology or environment that collects data of objects or their surroundings using devices with limited resources such as sensors, and transmits and receives the collected data through a wireless network. applied and used in the field. For example, IoT devices and platforms may be used for the purpose of providing specific services by collecting and analyzing surrounding data in various fields such as smart factories, medical facilities, autonomous vehicles, and financial payment services.

However, when IoT devices and platforms are connected to a wireless network such as an open Internet network, IoT devices connected to the network can be targeted for malicious attacks. Accordingly, authentication and registration of IoT devices and users may be required to solve security problems of devices connected to the Internet of Things.

IoT devices and platforms are used to provide specific services (eg, big data analysis, smart factory and vehicle control, operation analysis and monitoring of medical devices, etc.) by collecting and analyzing data of objects or their surroundings. However, IoT devices and platforms connected to an open wireless network such as the Internet may have security vulnerabilities against external attacks such as hacking, and device registration and authentication through the IoT platform and authorization of an administrator or user for this purpose and We need a way to safely execute the authentication process.

In order to solve the problems of the prior art, the present disclosure provides a method and system for registering and authenticating a device in an IoT platform and executing an administrator or user's authorization check and authentication procedure for this using a private block chain do.

According to an embodiment of the present disclosure, the token authentication and authorization system of the private blockchain-based IoT device receives at least one of a user registration request, a user authentication request, and a device authentication request input from a user terminal, and executes the request a front-end unit including a user interface for outputting a result; and a back-end unit that receives the request from the front-end unit and executes at least one of user registration, user authentication, and device authentication, wherein the back-end unit includes a smart contract capable of executing user registration, user authentication, and device authentication. A plurality of blockchain nodes comprising: an API node providing an API (application programming interface) for executing the user registration, user authentication, and device authentication, wherein the API node is is used to provide execution results of at least one of the user registration, user authentication, and device authentication.

According to another embodiment of the present disclosure, in a token authentication and authorization method of a private blockchain-based IoT device, receiving at least one of a user registration request, a user authentication request, and a device authentication request input from a user terminal by a front-end unit to do; and executing, by the backend unit, at least one of user registration, user authentication, and device authentication when receiving the request from the frontend unit, wherein the backend unit may execute user registration, user authentication and device authentication It includes a plurality of blockchain nodes including smart contracts, and an API node that provides an application programming interface (API) for executing the user registration, user authentication, and device authentication.

According to various embodiments of the present disclosure, by executing the registration and authentication of a device in the IoT platform using a private block chain in which access rights are given to a restricted user, and an administrator or user authorization check and authentication procedure for this, the IoT platform Security and safety can be improved.

1 is a diagram illustrating the configuration of a token authentication and authorization system of a private blockchain-based IoT device according to an embodiment of the present disclosure.
2 is a diagram illustrating a communication method between components in a token authentication and authorization system of a private blockchain-based IoT device according to an embodiment of the present disclosure.
3 is a diagram illustrating the configuration of a private blockchain node according to an embodiment of the present disclosure.
4 is a diagram illustrating a detailed configuration of a token authentication and authorization system of a private blockchain-based IoT device according to an embodiment of the present disclosure.
5 is a diagram illustrating a user and device authentication and control procedure in a token authentication and authorization system of a private blockchain-based IoT device according to an embodiment of the present disclosure.
6 is a diagram illustrating a user registration method in a token authentication and authorization system of a private blockchain-based IoT device according to an embodiment of the present disclosure.
7 is a diagram illustrating a user authentication method in a token authentication and authorization system of a private blockchain-based IoT device according to an embodiment of the present disclosure.
8 is a diagram illustrating an authentication method of an IoT device or platform in a token authentication and authorization system of a private blockchain-based IoT device according to an embodiment of the present disclosure.

Hereinafter, specific contents for carrying out the present disclosure will be described in detail with reference to the accompanying drawings. However, in the following description, if there is a risk of unnecessarily obscuring the subject matter of the present disclosure, detailed descriptions of well-known functions or configurations will be omitted.

In the accompanying drawings, identical or corresponding components are assigned the same reference numerals. In addition, in the description of the embodiments below, overlapping description of the same or corresponding components may be omitted. However, even if descriptions regarding components are omitted, it is not intended that such components are not included in any embodiment.

Advantages and features of the disclosed embodiments, and methods of achieving them, will become apparent with reference to the embodiments described below in conjunction with the accompanying drawings. However, the present disclosure is not limited to the embodiments disclosed below, but may be implemented in various different forms, and only the present embodiments allow the present disclosure to be complete, and those of ordinary skill in the art to which the present disclosure pertains. It is only provided to fully inform the person of the scope of the invention.

Terms used in the present disclosure will be briefly described, and the disclosed embodiments will be described in detail.

The terms used in the present disclosure have been selected as currently widely used general terms as possible while considering the functions in the present disclosure, but these may vary depending on the intention or precedent of a person skilled in the relevant field, the emergence of new technology, and the like. In addition, in a specific case, there is a term arbitrarily selected by the applicant, and in this case, the meaning will be described in detail in the description of the corresponding invention. Therefore, the terms used in the present disclosure should be defined based on the meaning of the term and the contents of the present disclosure, rather than the simple name of the term.

Expressions in the singular in this disclosure include plural expressions unless the context clearly dictates the singular. Also, the plural expression includes the singular expression unless the context clearly dictates the plural.

In the context of the present disclosure, when a part 'includes' a certain component, it means that other components may be further included, rather than excluding other components, unless otherwise stated.

In the present disclosure, the term 'module' or 'part' (part or portion) means a software component, a hardware component, or a combination thereof, and 'module' or 'unit' performs a specific role or function can be configured to However, 'module' or 'unit' is not meant to be limited to software or hardware. A 'module' or 'unit' may be configured to reside in an addressable storage medium, or may be configured to execute one or more processors. Thus, as an example, 'module' or 'unit' refers to components such as software components, object-oriented software components, class components and task components, processes, functions, properties, Includes procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays and variables. Components and 'modules' or 'units' described in the present disclosure may be combined with a smaller number of components and 'modules' or 'units', or additional components and 'modules' ' or 'parts'.

In the present disclosure, the term 'private blockchain' refers to a blockchain network or platform in which access is granted only to limited users, as opposed to a public blockchain that general users can access without restrictions. can do. In addition, a 'blockchain platform' may refer to a blockchain network composed of one or more blockchain nodes connected by a network. For example, a blockchain platform may represent a system that executes at least some of functions such as registration and deletion of users or IoT devices, authentication and authorization, and control by a blockchain network.

In the present disclosure, an 'IoT device' or a 'device' may refer to a lightweight hardware device such as a sensor, a portable computer, a wearable computer, etc. that is connected to the Internet of Things to collect, process, and transmit environmental data. For example, a device is installed in a smart home, smart factory, or smart city to sense and collect various surrounding environmental data (e.g., temperature, humidity, noise, image data, etc.) and transmit it to the IoT platform through the network. It may include, but is not limited to, a computing device.

In the present disclosure, the 'IoT platform' integrates the functions of hardware connection of devices, communication protocol processing between devices, providing security and authentication for devices and users, collection, analysis and visualization of data collected by devices, and other functions with other web services. It may mean software, middleware, firmware, hardware, or a combination thereof that can execute a function.

In the present disclosure, a 'system' may refer to a configuration including one or more IoT devices, IoT platforms, block chain networks, or a combination of any one or more thereof, for example, one or more computing devices, server devices , or may refer to a distributed computing device that provides a cloud service, but is not limited thereto.

1 is a diagram showing the configuration of a token authentication and authorization system of a private blockchain-based IoT device according to an embodiment of the present disclosure.

As shown, the system 100 may include a user terminal 110 , an IoT platform 120 , a blockchain platform 130 , and a plurality of IoT devices 140 . The user terminal 110 may be a computing device used by a user or an administrator who uses, monitors, and manages the system 100 or the IoT devices 140 connected to the system 100 . For example, the user terminal 110 may be a computing device such as a smart phone, a tablet PC, a desktop PC, a laptop PC, and the like, but is not limited thereto. The user terminal 110 may be connected to the IoT platform 120 or the blockchain platform 130 through an HTTP communication protocol, and may input user and device registration and authentication requests through a web-based user interface or receive the result. have.

In an embodiment, the user terminal 110 provides a user interface for authentication and authorization of a user (eg, an IoT device manager), provides a device management interface such as addition and control of an IoT device, and an IoT device collects It can provide functions such as monitoring and retrieval of one data, and providing an API that meets the oneM2M standard for application creation.

The IoT platform 120 may provide a function of connecting and managing IoT resources such as the IoT device 140 . In an embodiment, the IoT platform 120 includes a management function such as modification, deletion, analysis, and sharing of data collected through the IoT devices 140, an IoT protocol (eg, MQTT (Message Queuing Telemetry Transport), It can provide data communication support through lightweight message protocol such as CoAP (Constrained Application Protocol), HTTP protocol, etc.), IoT security function, and IoT platform interface provision function through API that satisfies oneM2M standard.

The blockchain platform 130 may include a blockchain network in which a plurality of blockchain nodes are interconnected. For example, a plurality of blockchain nodes may be connected in the form of a peer-to-peer network, where the network may include a wireless network such as Wi-fi, a wired network such as a LAN, or a combination thereof. .

In one embodiment, the block chain platform 130 may provide functions such as authentication and authorization of users and devices through a block chain network, authority setting, access control, and the like. In addition, the blockchain platform 130 may provide security functions such as storage and tracking of user account status, and prevention of hacking. For example, the blockchain platform 130 may transmit a request for main authentication through an API node when a user joins a membership, and may transmit an authentication code by mail through SMTP. In addition, as an API node, the blockchain platform 130 may process requests for front-end functions (eg, user membership registration, user login, addition and control of IoT devices and platforms, etc.). can In addition, the blockchain platform 130 may provide an application programming interface (API) so that the user terminal 110 can access the API server to transmit a request for management such as addition and control of IoT devices and platforms.

The IoT device 140 may be a lightweight hardware device including an input/output device capable of acquiring, collecting, storing, and transmitting environmental data, a memory, and a processor. The IoT device 140 may include a function of acquiring a device-specific characteristic value (ie, device DNA) using a physically unclonable function utilizing the hardware characteristic of the device.

2 is a diagram illustrating a communication method between components in a token authentication and authorization system of a private blockchain-based IoT device according to an embodiment of the present disclosure.

As shown, the user terminal 110 may transmit and receive data through the IoT platform 120 or the block chain platform 130 and a web-based communication protocol (eg, HTTP protocol).

The IoT platform 122 includes a connection and management function with the IoT devices 140 , a management function such as modification, deletion, analysis, and sharing of data collected through the IoT devices 140 , an HTTP protocol and a lightweight message protocol It may include an API server 122 that provides and executes an API that provides communication functions such as conversion between (MQTT protocol). The IoT platform 122 may be connected to the IoT devices 140 through the API server 122 using a lightweight message protocol.

On the other hand, the blockchain platform 130 may be configured as a private blockchain in which the user terminal 110 must have authority or membership in order to access the blockchain network. The user terminal 110 can be connected to any block chain node 134 of the block chain network only when it meets the requirements of rules or access rights set in advance in the block chain platform 130 .

The blockchain platform 130 may further include an API node 132 in addition to the blockchain nodes 134 . The API node 132 performs communication through the API with the user terminal 110 that connects the block chain platform 130 from the outside to request and receive or execute a smart contract from the block chain nodes 134 . can be controlled to do so.

Meanwhile, the API node 132 may provide the user terminal 110 with an application programming interface (API) that can access the blockchain node 134 . The user terminal 110 provided with the API from the API node 132 may access the API node 132 through the API, but cannot directly access the block chain node 134 . As such, by configuring the user terminal 110 to access the block chain network through the API node 132 instead of directly accessing the block chain node 134, IoT stored and managed by the block chain node 134 It is possible to strengthen the security of data related to device registration and authentication. The API node 132 may request a smart contract of the blockchain by performing RPC communication with the blockchain node 134 .

3 is a diagram illustrating the configuration of a private blockchain node according to an embodiment of the present disclosure.

As shown, the blockchain node 134 includes a distributed ledger to which blocks generated for one or more transactions (tx) 304 and smart contract (sc) 306 are connected. can do. The header of each block in the distributed ledger may include a hash value of the header of the previous block associated with one or more transactions. Here, the transaction may be made of hash values of the transaction.

In addition, the distributed ledger stored in the blockchain node 304 may further include blocks generated for the smart contract 306 . The blockchain node 134 may further include a storage 302 that stores one or more smart contracts.

4 is a diagram illustrating a detailed configuration of a token authentication and authorization system of a private blockchain-based IoT device according to an embodiment of the present disclosure.

As illustrated, the system 400 may include an HTTP protocol interface 410 , a front-end unit 420 , a back-end unit 430 , a lightweight message protocol interface 440 , and an RPC protocol interface 450 . . The system 400 may include all or a part of the system 100 illustrated in FIGS. 1 to 3 . In one embodiment, the front-end unit 420 of the system 400 may implement some components or functions of the user terminal 110 , the IoT platform 120 , and/or the blockchain platform 130 of the system 100 . may be included, and the backend unit 430 may include some components or functions of the IoT platform 120 and/or the blockchain platform 130 .

The HTTP protocol interface 410 may support the HTTP protocol for data communication between the user terminal 110 and the API server 122 or between the user terminal 110 and the API node 132 . In addition, the lightweight message protocol interface 440 may support a lightweight message protocol (eg, MQTT, CoAP, etc.) for data communication between the API server 122 and the IoT device 140 . In addition, the RPC protocol interface 450 may support a remote procedure call (RPC) protocol for data communication between the API node 132 and the blockchain node 134 .

The front-end unit 420 may include a web-based user interface, a cache module, and a token module. The web-based user interface may include a web page-based user interface that inputs data or information related to user registration, user authentication, and device authentication, and outputs results of user registration, user authentication, and device authentication. The cache module may manage a cache for temporarily storing data or information related to user registration, user authentication, and device authentication. Also, the token module may store a user token generated as a result of executing user authentication.

Also, the backend unit 430 may include a user authentication management module, an IoT device authentication management module, and an API module. The user authentication management module may execute generation and transmission of a verification code according to a user registration and user authentication request input by a user through a web-based interface, generation and transmission of a user certificate, and the like. Also, the IoT device authentication management module may generate and transmit a device certificate according to a device authentication request input by a user through a web-based interface.

The user may perform a user membership registration and login process in the private blockchain-based blockchain platform 130 through the web-based user interface of the front-end unit 420 . When a user requests a login through the web-based user interface, the request can be sent to the backend unit 430 to execute the authentication procedure through the block chain, and after successfully passing the authentication procedure, a specific right to the authenticated user can be authorized. can

In addition, users can monitor the blockchain in real time, such as the transaction processing status and smart contract processing status, in the blockchain network through the web-based user interface, and perform IoT device registration or deletion requests and control requests for IoT devices. can For example, the user may perform a control request for the IoT device, such as a request for monitoring information on a collection situation of environmental data through the IoT device, and operation control of the IoT device through the web-based user interface.

The user authentication management module and the IoT device authentication management module of the backend unit 430 are connected to the blockchain network, and the user registration and authentication requested by the frontend unit 420, authentication, registration or deletion of the IoT device, and the IoT device control function can be performed. In an embodiment, the user authentication management module and the IoT device authentication management module may check the authority of the user terminal 110 for the request of the front-end unit 420 from the block chain, user authentication, IoT device authentication or control function A smart contract can be requested from the blockchain node 134 through the RPC communication protocol for validation of

The API module of the backend unit 430 may provide an API capable of using a REST (representational status transfer)ful HTTP/HTTPs communication protocol, and may receive and execute an API call request defined from the frontend unit 420 . Also, the API module of the backend unit 430 may perform a data processing function in JSON (Javascript Object Notation) and Query Language formats for delivering a data object in the form of an attribute-value pair.

In the present disclosure, a 'REST (representational state transfer)ful API' may refer to a web service API based on an expressive state transfer technology. A RESTful API is, for example, an API that can connect to and interact with a blockchain network or cloud service, and can be configured to execute a transaction that needs to be executed by splitting it into a series of smaller operations. For example, a RESTful API is a GET function that can retrieve a resource such as an object, file, or block containing user information, IoT device information, registration and authentication information, etc., a PUT function that changes or updates the state of a resource, and a resource It can include a POST function that creates a , and a DELET function that deletes a resource.

In the present disclosure, the API module of the backend unit 430 or the API node 132 of the block chain platform 130 uses a RESTful API to effectively process web-based user registration and authentication, and authentication and control of IoT devices. can In other words, RESTful APIs are extensible to actively handle changes in service load, and because requests by APIs are limited to arbitrary instances of system or platform components and are not used by subsequent transactions. , useful for web service processing. In addition, since the operations executed in the RESTful API are processed by decoding a web address (eg, URL), it is effective to implement a service provision by a cloud service or a blockchain network.

The API module of the backend unit 430 can connect blockchain nodes using an open source remote procedure call communication protocol such as gRPC (gRPC Remote Procedure Calls) or gRPCs, and the protocol is Zero-Knowledge Proof. ) to provide anonymity. In addition, the API module can also control the information flow between the blockchain nodes and the user terminal based on the user's private key encryption algorithm.

5 is a diagram illustrating a user and device authentication and control procedure in a token authentication and authorization system of a private blockchain-based IoT device according to an embodiment of the present disclosure.

As shown, the user terminal (or user application) 110 in the system 500 may transmit a user or device authentication or control request to the block chain platform 130 (S510). In this case, the user terminal 110 may call the RESTful API using the HTTP communication protocol. In response, the block chain platform 130 may grant authentication or control authority for the user or device to the user terminal 110 (S520). The above procedures ( S510 and S520 ) will be described in more detail below with reference to FIGS. 6 to 8 .

Meanwhile, the user terminal 110 may transmit an inquiry request for data collected or managed by the IoT device 140 to the IoT platform 120 ( S530 ). In this case, the user terminal 110 may call the RESTful API using the HTTP communication protocol. In response, the IoT platform 120 may receive the requested data from the IoT device 140 (S540) and return it to the user terminal 110 (S550).

6 is a diagram illustrating a user registration method in a token authentication and authorization system of a private blockchain-based IoT device according to an embodiment of the present disclosure.

The user registration method 600 may be initiated by the user terminal transmitting a user registration request to the front end unit (S602). In response, the front-end unit may transmit a verification code transmission request to the back-end unit (S604). In addition, the backend unit may transmit a request for sending the verification code to the blockchain network (or blockchain platform) (S606).

1 to 5 , the user terminal 110 may input and execute a user registration request through a web-based user interface. For example, the user terminal 110 may input a user registration request including a user e-mail address, password, public key, etc. through a web-based user interface for user registration (or membership registration). Accordingly, the user terminal 110 may transmit a verification code transmission request to the user authentication management module of the block chain platform 130 using the HTTP protocol. The user authentication management module may transmit the corresponding verification code sending request to the blockchain node 134 using the RPC protocol by the API module (or API node).

Next, the blockchain network may generate a verification code (or verification code) (S608). For example, the verification code may be a 16-byte sized number generated by a random number generator function. In one embodiment, referring to FIGS. 1 to 5 , the API node 132 may request and execute a smart contract for generating a verification code from the blockchain node 134 .

When the verification code is generated, the blockchain network transmits an approval for sending the verification code to the backend unit (S610). In addition, the back-end unit sends the verification code to the front-end unit and executes redirection of the verification code input page (S612). For example, the front-end unit may send a verification code to the user's email account through an email, and display a verification code input page on the user terminal so that the user can input the verification code received through the email.

When the user inputs the received verification code to the verification code input page displayed on the user terminal (S614), the front-end unit may transmit the input verification code to the back-end unit (S616). In addition, the backend unit may transmit a user certificate issuance request to the blockchain network based on the transmitted verification code (S618).

In an embodiment, referring to FIGS. 1 to 5 , the user terminal 110 may execute input and transmission of a verification code through a web-based user interface. Accordingly, the user terminal 110 may transmit the verification code to the user authentication management module of the block chain platform 130 using the HTTP protocol. The user authentication management module may transmit a user certificate issuance request based on the corresponding verification code to the blockchain node 134 using the RPC protocol by the API module (or API node).

Next, the blockchain network may generate a certificate (S620). For example, the blockchain network can issue a certificate by signing the public key transmitted by the user including the user registration request with the ECDSA-based private key generated in the initialization stage of the blockchain network based on the verification code. have. In one embodiment, referring to FIGS. 1 to 5 , the API node 132 may request and execute a smart contract for generating a certificate from the blockchain node 134 . For example, the user certificate may be generated by an authentication algorithm based on a public key infrastructure (PKI).

The blockchain network transmits the generated user certificate to the back-end unit (S622), and the back-end unit transmits the received user certificate to the front-end unit (S624). The front-end unit may store the received user certificate in the user terminal (S626).

7 is a diagram illustrating a user authentication method in a token authentication and authorization system of a private blockchain-based IoT device according to an embodiment of the present disclosure.

The user authentication method 700 may be initiated by the user terminal transmitting a user authentication/authorization request to the front-end unit (S602). For example, the user terminal may transmit a user authentication request including hash message data generated after encryption and hashing with a secret key by combining user email address, password, and request time data to the front end unit. In response, the front-end unit may transmit a user authentication request to the back-end unit (S704). Also, the backend unit may transmit the corresponding user authentication request to the blockchain network (or blockchain platform) (S706).

1 to 5 , the user terminal 110 may input and execute a user authentication/authorization request through a web-based user interface. Accordingly, the user terminal 110 may transmit a user authentication request to the user authentication management module of the block chain platform 130 using the HTTP protocol. The user authentication management module may transmit the corresponding user authentication request to the blockchain node 134 using the RPC protocol by the API module (or API node).

Next, the blockchain network may execute user authentication through a hash message (S708). For example, the hash message includes email, password, and request time data, is hashed based on SHA256, and may be encrypted based on ECDSA. If the hash message is delivered to the blockchain node, it can be decrypted using the public key entered at the time of user registration request, and user authentication and data validation can be performed through the user's email address, password, and request time data. In one embodiment, referring to FIGS. 1 to 5 , the API node 132 may request and execute a smart contract for user authentication through a hash message to the blockchain node 134 .

The blockchain network generates a user token as a result of executing user authentication and transmits it to the backend unit (S710). In addition, the back-end unit transmits the user token to the front-end unit (S712), and the front-end unit transmits the corresponding user token to the user terminal (S714). The user token generated in this way is used as an input parameter necessary for all API calls performed by the user terminal after the user logs into the system (eg, IoT platform registration/deletion, IoT device registration/deletion, etc.) It is transmitted to the blockchain platform together with input parameters (request contents for registration/deletion). In addition, the blockchain node can validate the requested API through the passed token.

8 is a diagram illustrating an authentication method of an IoT device or platform in a token authentication and authorization system of a private blockchain-based IoT device according to an embodiment of the present disclosure.

The authentication method 800 of the IoT device or platform may be initiated by the user terminal transmitting an IoT device addition request to the front-end unit (S802). In response, the front-end unit may transmit a device addition request to the back-end unit (S804). In response, the backend unit may transmit a request for issuing a certificate based on user information to the blockchain network (or blockchain platform) (S806). For example, in the device addition request, a user token and user email address, a registered platform ID, an IoT device ID registered in the IoT platform, a name for device identification, location information, device description, and a camera for video data collection It may include an IP address and public key data of the IoT device. The parameters of the device addition request may be transmitted to the blockchain platform through the API.

1 to 5 , the user terminal 110 may input and execute a device addition request through a web-based user interface. Accordingly, the user terminal 110 may transmit a device addition request to the device authentication management module of the block chain platform 130 using the HTTP protocol. The device authentication management module may transmit a user information-based certificate issuance request to the blockchain node 134 using the RPC protocol by the API module (or API node) in response to the device addition request.

Next, the blockchain network may generate a device certificate (S808). In one embodiment, referring to FIGS. 1 to 5 , the API node 132 may request and execute a smart contract for generating a certificate from the blockchain node 134 . For example, the device certificate may be generated by a public key infrastructure (PKI)-based authentication algorithm. Specifically, the device certificate may be generated by using public key data input when a device addition request is made, and signing the public key data with the private key of the blockchain network.

The blockchain network transmits the generated device certificate to the back-end unit (S810), and the back-end unit transmits the received device certificate to the front-end unit (S812). The front-end unit may store the received device certificate in the user terminal (S814).

According to the various embodiments described above, the security and safety of the IoT platform can be improved by executing user registration, user authentication, and device authentication procedures using a private block chain in which access is granted to a restricted user.

When the user terminal executes user registration or user and device authentication, the user terminal provides a web-based user interface through the API node of the blockchain network using the HTTP communication protocol. and functions such as device authentication. In this way, the user terminal can receive necessary services using the existing web-based interface and communication protocol, and does not require an additional communication method or interface to access the block chain network. When the API node accesses the blockchain network based on the user registration, user and device authentication requests received from the user terminal, it can access the blockchain node using the RPC communication protocol. Therefore, the API node of the blockchain network implements the communication protocol conversion and data interworking between the external device and the blockchain node, so that efficient data communication can be achieved while maintaining the security of the system.

The system according to the various embodiments described above may represent various types of computing devices, such as a server computer, a desktop computer, a laptop computer, a modem installed outside or inside the computer, or a device communicating through a wireless channel. . Any of the computing devices described herein include a memory for storing instructions and data necessary for the execution of the method for providing data communication between the components of the system described above, as well as hardware, software, firmware, or a combination thereof. You may have combinations.

The techniques described herein may be implemented by various means. For example, these techniques may be implemented in hardware, firmware, software, or a combination thereof. Those skilled in the art will further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.

In a hardware implementation, the processing units used to perform the techniques include one or more ASICs, DSPs, digital signal processing devices (DSPDs), programmable logic devices (PLDs). ), field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, electronic devices, other electronic units designed to perform the functions described herein; It may be implemented in a computer, or a combination thereof.

Accordingly, the various illustrative logic blocks, modules, and circuits described in connection with the present disclosure may include general purpose processors, DSPs, ASICs, FPGAs or other programmable logic devices, discrete gate or transistor logic, discrete hardware components, or It may be implemented or performed in any combination of those designed to perform the functions described herein. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, eg, a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in association with a DSP core, or any other such configuration.

For firmware and/or software implementations, the techniques include random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), PROM ( on computer-readable media such as programmable read-only memory), erasable programmable read-only memory (EPROM), electrically erasable PROM (EEPROM), flash memory, compact disc (CD), magnetic or optical data storage devices, etc. It may be implemented as stored instructions. The instructions may be executable by one or more processors, and may cause the processor(s) to perform certain aspects of the functionality described herein.

If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. Storage media may be any available media that can be accessed by a computer. By way of non-limiting example, such computer readable medium may contain RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or desired program code in the form of instructions or data structures. may include any other medium that can be used for transport or storage to a computer and can be accessed by a computer. Also, any connection is properly termed a computer-readable medium.

For example, if the software is transmitted from a website, server, or other remote source using coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, wireless, and microwave, the coaxial cable , fiber optic cable, twisted pair, digital subscriber line, or wireless technologies such as infrared, radio, and microwave may be included within the definition of a medium. As used herein, disk and disk include CD, laser disk, optical disk, digital versatile disc (DVD), floppy disk, and Blu-ray disk, where disks are usually magnetic Data is reproduced optically, while discs reproduce data optically using a laser. Combinations of the above should also be included within the scope of computer-readable media.

A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium may be coupled to the processor such that the processor can read information from, or write information to, the storage medium. Alternatively, the storage medium may be integrated into the processor. The processor and storage medium may reside within the ASIC. The ASIC may exist in the user terminal. Alternatively, the processor and the storage medium may exist as separate components in the user terminal.

Although example implementations may refer to utilizing aspects of the presently disclosed subject matter in the context of one or more stand-alone computer systems, the subject matter is not so limited, but rather in connection with any computing environment, such as a network or distributed computing environment. may be implemented. Still further, aspects of the presently disclosed subject matter may be implemented in or across a plurality of processing chips or devices, and storage may be similarly affected across the plurality of devices. Such devices may include PCs, network servers, and handheld devices.

Although the method mentioned in this specification has been described through specific embodiments, it may be implemented as computer-readable code on a computer-readable recording medium. The computer-readable recording medium includes all types of recording devices in which data readable by a computer system is stored. Examples of the computer-readable recording medium include ROM, RAM, CD-ROM, magnetic tape, floppy disk, and optical data storage device. In addition, the computer-readable recording medium is distributed in a computer system connected through a network, so that the computer-readable code can be stored and executed in a distributed manner. And, functional programs, codes, and code segments for implementing the embodiments can be easily inferred by programmers in the art to which the present invention pertains.

Although the present disclosure has been described in connection with some embodiments herein, it should be understood that various modifications and changes can be made without departing from the scope of the present disclosure as understood by those skilled in the art to which the present invention pertains. something to do. Further, such modifications and variations are intended to fall within the scope of the claims appended hereto.

100: Token authentication and authorization system of IoT device
110: user terminal
120: IoT platform
130: Blockchain Platform
140: IoT device

Claims (20)

A token authentication and authorization system for a private blockchain-based IoT device, comprising:
a front-end unit including a user interface for receiving at least one of a user registration request, a user authentication request, and a device authentication request inputted from a user terminal, and outputting a result of executing the request; and
and a back-end unit receiving the request from the front-end unit and executing at least one of user registration, user authentication, and device authentication,
The backend unit provides a plurality of private blockchain nodes including smart contracts capable of executing user registration, user authentication and device authentication, and an application programming interface (API) for executing the user registration, user authentication and device authentication. contains an API node that
The API node, in response to the request, provides an execution result of at least one of the user registration, user authentication, and device authentication using the API,
The API node, in response to the request sent from the front-end unit, creates a smart contract for executing at least one of the user registration, user authentication, and device authentication to any one of the private blockchain nodes through the RPC protocol. request,
The private blockchain node generates a verification code for user registration, a user token for user authentication, and a device certificate for device authentication, in response to a smart contract request sent from the API node. to run at least one of
system.
According to claim 1,
The system of claim 1, wherein the front-end unit sends the request to the API node through an HTTP protocol.
delete delete According to claim 1,
When the private blockchain node generates a verification code for user registration, the backend unit may send the verification code to the user of the user terminal by e-mail and input the verification code through the user terminal. A system that triggers the redirection of a webpage.
6. The method of claim 5,
When the user terminal receives the verification code, the front-end unit transmits the verification code to the back-end unit, and the back-end unit issues a user certificate based on the verification code through the API node. to generate the user certificate by sending it to any one of the
7. The method of claim 6,
The back-end unit is configured to transmit the user certificate to the front-end unit, and the front-end unit is configured to transmit and store the user certificate to the user terminal.
According to claim 1,
When the private blockchain node generates a user token for user authentication, the private blockchain node executes the user authentication through a hash message to generate the user token, and the backend unit sends the user token to the send to a front-end, wherein the front-end sends the user token to the user terminal.
According to claim 1,
When the private blockchain node generates a device certificate for device authentication, the back-end unit transmits the device certificate to the front-end unit, and the front-end unit transmits and stores the device certificate to the user terminal. constituted, system.
According to claim 1,
wherein the user interface is a web-based user interface.
According to claim 1,
The API is a REST (representational state transfer)ful API.
A token authentication and authorization method for a private blockchain-based IoT device, comprising:
receiving, by the front-end unit, at least one of a user registration request, a user authentication request, and a device authentication request inputted from a user terminal;
When receiving the request from the front-end by the back-end unit, executing at least one of user registration, user authentication, and device authentication - The back-end unit, a smart contract capable of executing user registration, user authentication and device authentication a plurality of private blockchain nodes including: an API node that provides an API (application programming interface) for executing the user registration, user authentication, and device authentication;
By the API node, in response to the request sent from the front-end unit, a smart contract for executing at least one of the user registration, user authentication, and device authentication to any one of the private blockchain nodes RPC protocol including making a request through
When receiving the request from the front-end unit by the back-end unit, executing at least one of user registration, user authentication, and device authentication comprises:
By the private blockchain node, in response to a smart contract request sent from the API node, generation of a verification code for user registration, generation of a user token for user authentication, and device certificate for device authentication performing at least one of generating,
Way.
13. The method of claim 12,
sending, by the front-end unit, the request to the API node via HTTP protocol.
delete delete 13. The method of claim 12,
When receiving the request from the front-end unit by the back-end unit, executing at least one of user registration, user authentication, and device authentication comprises:
When the private blockchain node generates the verification code for user registration, the backend unit sends the verification code to the user of the user terminal by e-mail, and enters the verification code through the user terminal. The method further comprising the step of executing a redirection of a webpage capable of being
17. The method of claim 16,
When the user terminal receives the verification code, the front-end unit transmits the verification code to the back-end unit, and the back-end unit issues a user certificate based on the verification code through the API node. The method further comprising sending to one of the blockchain nodes to generate the user certificate.
13. The method of claim 12,
When receiving the request from the front-end unit by the back-end unit, executing at least one of user registration, user authentication, and device authentication comprises:
when the private blockchain node generates a user token for user authentication, executing the user authentication through a hash message by the private blockchain node to generate the user token; and
sending, by the back-end unit, the user token to the front-end unit, causing the front-end unit to transmit the user token to the user terminal.
13. The method of claim 12,
When receiving the request from the front-end unit by the back-end unit, executing at least one of user registration, user authentication, and device authentication comprises:
When the private blockchain node generates a device certificate for device authentication, the back-end unit transmits the device certificate to the front-end unit, and the front-end unit transmits the device certificate to the user terminal. A method comprising the step of causing to store.
A computer-readable storage medium storing one or more programs configured to be executed by one or more processors of a computing device, comprising:
The one or more programs, comprising instructions for performing the method of any one of claims 12, 13, 16 to 19, a computer-readable storage medium.

Images